PT-2026-8023 · Unknown · Tandoor Recipes

Drkim-Dev · Published 2026-02-13 · Updated 2026-02-18 · CVE-2026-25991

CVSS v3.1: 7.7 High

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Tandoor Recipes versions prior to 2.5.1

Description: Tandoor Recipes is an application used for recipe management, meal planning, and shopping list creation. A Blind Server-Side Request Forgery (SSRF) exists in the Cookmate recipe import feature prior to version 2.5.1. The application does not properly validate the destination URL after HTTP redirects, enabling authenticated users to make the server connect to arbitrary internal or external resources. The issue resides in the cookbook/integration/cookmate.py file, within the Cookmate integration class. This can be used to scan internal network ports, access cloud instance metadata, or reveal the server's real IP address. The vulnerable function is Cookmate.

Recommendations: Update Tandoor Recipes to version 2.5.1 or later.
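
The check the description says is missing, validating the destination of every redirect hop before connecting to it, shown as an added example (this is not Tandoor's code and not its 2.5.1 fix). The `send` and `resolve` callables, the host names and the responses are constructed stand-ins so the block runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}

class BlockedDestination(Exception):
    """Raised when a hop points somewhere the server must not connect to."""

def check_destination(url, resolve):
    """Allow only http(s) URLs whose host resolves solely to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"unsupported URL: {url}")
    addresses = resolve(parts.hostname)
    if not addresses:
        raise BlockedDestination(f"host does not resolve: {parts.hostname}")
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            raise BlockedDestination(f"{url} resolves to non-public {addr}")

def fetch_validated(url, send, resolve):
    """Follow redirects by hand; send(url) must not follow them itself."""
    for _ in range(MAX_REDIRECTS + 1):
        check_destination(url, resolve)  # runs on the first URL and on every hop
        status, headers, body = send(url)
        if status not in REDIRECT_CODES or "Location" not in headers:
            return url, status, body
        url = urljoin(url, headers["Location"])  # Location may be relative
    raise BlockedDestination("too many redirects")

# Constructed sample data (hypothetical host): one redirect stays public, one does not.
SAMPLE_DNS = {"files.example": ["93.184.216.34"]}
SAMPLE_RESPONSES = {
    "https://files.example/ok.zip": (200, {}, b"recipe-archive"),
    "https://files.example/moved.zip": (302, {"Location": "/ok.zip"}, b""),
    "https://files.example/internal.zip": (302, {"Location": "http://169.254.169.254/"}, b""),
}
requested = []  # every URL the stub transport was actually asked to fetch

def sample_resolve(host):
    try:  # IP literals resolve to themselves; names use the constructed table
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return SAMPLE_DNS.get(host, [])

def sample_send(url):
    requested.append(url)
    return SAMPLE_RESPONSES[url]
```

In a real client, `send` would issue the request with automatic redirects disabled and connect to the address that was validated, so that a second DNS lookup cannot return a different answer.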

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-25991, GHSA-J6XG-85MH-QQF7

Affected Products: Tandoor Recipes